
To support gitURLs for "apply" command #4502

Merged (14 commits) Dec 2, 2022
Conversation

viveksahu26 (Collaborator)

Explanation

This PR adds support for the apply command to apply policies from git URLs on cluster resources.

Related issue

Closes #3822

Milestone of this PR

/milestone 1.9.0

What type of PR is this

/kind enhancement

Proposed Changes

  1. Support policies directly from gitURLs:
     kyverno apply https://github.com/kyverno/policies/openshift/ --git-branch main --cluster

  2. Addition of a new flag in the apply command: --git-branch (or -b)

  3. Supports policies from particular folders ("openshift", "/openshift/team-validate-ns-name/", "best-practices", "cert-manager", etc.)

     Example:
     kyverno apply https://github.com/kyverno/policies/openshift/team-validate-ns-name/ --git-branch main --cluster

Generalized form:
kyverno apply https://github.com/{owner}/{repository}/{directory} --git-branch {branch} --cluster

Where,
owner could be "kyverno" or any username
repository would be "policies"
directory could be "openshift" or "openshift/team-validate-ns-name/" or "pod-security", etc
branch could be "main", or "master", or "release-1.8" or "release-1.7"

Proof Manifests

linuzz@HP:~/go/src/github.com/kyverno/kyverno$ kyverno  apply https://github.com/kyverno/policies/pod-security/baseline/  --git-branch   main   --cluster
Enumerating objects: 801, done.
Counting objects: 100% (801/801), done.
Compressing objects: 100% (650/650), done.
Total 801 (delta 171), reused 505 (delta 145), pack-reused 0
failed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicyfailed to process : resource Pod/badpod01 is not a Policy or a ClusterPolicy
Applying 13 policy rules to 16 resources...

policy disallow-capabilities -> resource kube-system/Pod/kindnet-k4wvm failed: 
1. adding-capabilities: Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) are disallowed. 

policy disallow-capabilities -> resource kube-system/DaemonSet/kindnet failed: 
1. autogen-adding-capabilities: Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) are disallowed. 

policy disallow-host-namespaces -> resource kube-system/DaemonSet/kube-proxy failed: 
1. autogen-host-namespaces: validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. rule autogen-host-namespaces failed at path /spec/template/spec/hostNetwork/ 

policy disallow-host-namespaces -> resource kube-system/Pod/kindnet-k4wvm failed: 
1. host-namespaces: validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. rule host-namespaces failed at path /spec/hostNetwork/ 

policy disallow-host-namespaces -> resource kube-system/Pod/kube-controller-manager-1.7-control-plane failed: 
1. host-namespaces: validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. rule host-namespaces failed at path /spec/hostNetwork/ 

policy disallow-host-namespaces -> resource kube-system/Pod/kube-scheduler-1.7-control-plane failed: 
1. host-namespaces: validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. rule host-namespaces failed at path /spec/hostNetwork/ 

policy disallow-host-namespaces -> resource kube-system/Pod/kube-apiserver-1.7-control-plane failed: 
1. host-namespaces: validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. rule host-namespaces failed at path /spec/hostNetwork/ 

policy disallow-host-namespaces -> resource kube-system/Pod/kube-proxy-xv5vz failed: 
1. host-namespaces: validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. rule host-namespaces failed at path /spec/hostNetwork/ 

policy disallow-host-namespaces -> resource kube-system/DaemonSet/kindnet failed: 
1. autogen-host-namespaces: validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. rule autogen-host-namespaces failed at path /spec/template/spec/hostNetwork/ 

policy disallow-host-namespaces -> resource kube-system/Pod/etcd-1.7-control-plane failed: 
1. host-namespaces: validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. rule host-namespaces failed at path /spec/hostNetwork/ 

policy disallow-host-path -> resource kube-system/DaemonSet/kube-proxy failed: 
1. autogen-host-path: validation error: HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. rule autogen-host-path failed at path /spec/template/spec/volumes/1/hostPath/ 

policy disallow-host-path -> resource kube-system/Pod/kindnet-k4wvm failed: 
1. host-path: validation error: HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. rule host-path failed at path /spec/volumes/0/hostPath/ 

policy disallow-host-path -> resource kube-system/Pod/kube-controller-manager-1.7-control-plane failed: 
1. host-path: validation error: HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. rule host-path failed at path /spec/volumes/0/hostPath/ 

policy disallow-host-path -> resource kube-system/Pod/kube-scheduler-1.7-control-plane failed: 
1. host-path: validation error: HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. rule host-path failed at path /spec/volumes/0/hostPath/ 

policy disallow-host-path -> resource kube-system/Pod/kube-apiserver-1.7-control-plane failed: 
1. host-path: validation error: HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. rule host-path failed at path /spec/volumes/0/hostPath/ 

policy disallow-host-path -> resource kube-system/Pod/kube-proxy-xv5vz failed: 
1. host-path: validation error: HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. rule host-path failed at path /spec/volumes/1/hostPath/ 

policy disallow-host-path -> resource kube-system/DaemonSet/kindnet failed: 
1. autogen-host-path: validation error: HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. rule autogen-host-path failed at path /spec/template/spec/volumes/0/hostPath/ 

policy disallow-host-path -> resource kube-system/Pod/etcd-1.7-control-plane failed: 
1. host-path: validation error: HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. rule host-path failed at path /spec/volumes/0/hostPath/ 

policy disallow-privileged-containers -> resource kube-system/DaemonSet/kube-proxy failed: 
1. autogen-privileged-containers: validation error: Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.privileged must be unset or set to `false`. rule autogen-privileged-containers failed at path /spec/template/spec/containers/0/securityContext/privileged/ 

policy disallow-privileged-containers -> resource kube-system/Pod/kube-proxy-xv5vz failed: 
1. privileged-containers: validation error: Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.privileged must be unset or set to `false`. rule privileged-containers failed at path /spec/containers/0/securityContext/privileged/ 

pass: 188, fail: 20, warn: 0, error: 0, skip: 416 
exit status 1

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.
    • I have added or changed the documentation myself in an existing PR and the link is:
    • I have raised an issue in kyverno/website to track the documentation update and the link is:

Further Comments
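
As an added example, not code from this PR or from Kyverno: a Go parser for the generalized URL form in the PR description, splitting https://github.com/{owner}/{repository}/{directory} plus --git-branch {branch} into a clone URL, a sub-directory and a ref, together with the kind filter that corresponds to the "is not a Policy or a ClusterPolicy" messages in the proof manifest. GitSource, ParseGitSource and IsPolicyKind are hypothetical names; restricting the scheme to https and the host to github.com, and rejecting empty, "." and ".." path elements, are assumptions chosen to fit the examples on the page. The checkout itself is left to a git client.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// GitSource is the decomposition of the URL form the PR description gives:
//
//	https://github.com/{owner}/{repository}/{directory}  --git-branch {branch}
//
// CloneURL is what a git client would clone, Dir is the sub-path inside the
// checkout to load policy YAML from ("" means the repository root) and Ref
// is the --git-branch value. Hypothetical type, not Kyverno's.
type GitSource struct {
	CloneURL string
	Owner    string
	Repo     string
	Dir      string
	Ref      string
}

// ParseGitSource splits the apply argument into its parts. Assumed
// restrictions, chosen to match the examples on the page: https only,
// github.com only, at least {owner}/{repository}, and no empty, "." or ".."
// path elements, so the directory can never point outside the checkout.
func ParseGitSource(raw, branch string) (GitSource, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return GitSource{}, err
	}
	if u.Scheme != "https" {
		return GitSource{}, fmt.Errorf("unsupported scheme %q: only https git URLs are accepted", u.Scheme)
	}
	if u.Host != "github.com" {
		return GitSource{}, fmt.Errorf("unsupported host %q", u.Host)
	}
	if branch == "" {
		return GitSource{}, errors.New("--git-branch must not be empty")
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 {
		return GitSource{}, errors.New("URL must contain at least {owner}/{repository}")
	}
	for _, p := range parts {
		if p == "" || p == "." || p == ".." {
			return GitSource{}, fmt.Errorf("invalid path element %q", p)
		}
	}
	return GitSource{
		CloneURL: "https://github.com/" + parts[0] + "/" + parts[1],
		Owner:    parts[0],
		Repo:     parts[1],
		Dir:      strings.Join(parts[2:], "/"),
		Ref:      branch,
	}, nil
}

// IsPolicyKind is the filter behind the "is not a Policy or a ClusterPolicy"
// messages in the proof manifest: a repository such as kyverno/policies also
// holds test resources (Pod/badpod01), which must be skipped, not applied.
func IsPolicyKind(kind string) bool {
	return kind == "Policy" || kind == "ClusterPolicy"
}

func main() {
	src, err := ParseGitSource("https://github.com/kyverno/policies/pod-security/baseline/", "main")
	if err != nil {
		panic(err)
	}
	fmt.Printf("clone %s at %s, load policies from %q\n", src.CloneURL, src.Ref, src.Dir)
	// Constructed kinds standing in for documents found under Dir.
	for _, kind := range []string{"ClusterPolicy", "Pod", "Policy"} {
		fmt.Printf("%-14s policy=%v\n", kind, IsPolicyKind(kind))
	}
}
```

Ref is kept as an opaque string. A branch name such as main is a mutable pointer, so two runs against the same URL can evaluate different policy sets; when the CLI output is kept as an audit record, the commit actually checked out is the thing worth recording alongside it.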

codecov bot commented Sep 3, 2022

Codecov Report

Merging #4502 (ca63c64) into main (f8ed1a9) will increase coverage by 0.09%.
The diff coverage is 56.36%.

@@            Coverage Diff             @@
##             main    #4502      +/-   ##
==========================================
+ Coverage   36.50%   36.59%   +0.09%     
==========================================
  Files         173      173              
  Lines       19321    19375      +54     
==========================================
+ Hits         7053     7091      +38     
- Misses      11469    11477       +8     
- Partials      799      807       +8     
Impacted Files                                    Coverage Δ
cmd/cli/kubectl-kyverno/apply/apply_command.go    26.46% <43.75%> (+4.35%) ⬆️
cmd/cli/kubectl-kyverno/utils/common/common.go    16.32% <73.91%> (+1.64%) ⬆️
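
The proof manifest in the PR description shows four pod-security baseline rules failing on kube-system workloads, with autogen- variants for the DaemonSet pod templates. As an added example, not Kyverno's policy engine and not the policies repository, the following Go code applies those four checks to a minimal pod-spec model and reports rule names and paths in the same shape as the CLI output. The types, CheckBaseline and the path emitted for the capabilities rule are hypothetical; the allowed-capability list is the one quoted in the output, and the sample spec in main is constructed to resemble the kube-proxy pod.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal pod-spec model with only the fields the four baseline rules in the
// proof manifest inspect. Hypothetical types for this example, not Kyverno's
// or Kubernetes' API types.
type SecurityContext struct {
	Privileged      *bool
	AddCapabilities []string // securityContext.capabilities.add
}

type Container struct{ SecurityContext *SecurityContext }

type Volume struct{ HostPath bool } // true when volumes[i].hostPath is set

type PodSpec struct {
	HostNetwork, HostIPC, HostPID bool
	Volumes                       []Volume
	InitContainers, Containers    []Container
}

// allowedCapabilities is the list quoted in the disallow-capabilities failure.
var allowedCapabilities = map[string]bool{
	"AUDIT_WRITE": true, "CHOWN": true, "DAC_OVERRIDE": true, "FOWNER": true,
	"FSETID": true, "KILL": true, "MKNOD": true, "NET_BIND_SERVICE": true,
	"SETFCAP": true, "SETGID": true, "SETPCAP": true, "SETUID": true, "SYS_CHROOT": true,
}

// Violation is one failed rule plus the path the CLI reports for it.
type Violation struct{ Rule, Path string }

// CheckBaseline applies the four rules to spec. For a Pod pass prefix "/spec"
// and rulePrefix ""; for a DaemonSet or other workload whose pod template is
// checked pass "/spec/template/spec" and "autogen-", which reproduces the
// autogen-* rule names and paths seen in the proof manifest.
func CheckBaseline(spec PodSpec, prefix, rulePrefix string) []Violation {
	var out []Violation
	add := func(rule, path string) {
		out = append(out, Violation{Rule: rulePrefix + rule, Path: prefix + path})
	}

	// disallow-host-namespaces: hostNetwork, hostIPC and hostPID must be unset or false.
	hostNS := []struct {
		set   bool
		field string
	}{{spec.HostNetwork, "hostNetwork"}, {spec.HostIPC, "hostIPC"}, {spec.HostPID, "hostPID"}}
	for _, ns := range hostNS {
		if ns.set {
			add("host-namespaces", "/"+ns.field+"/")
		}
	}

	// disallow-host-path: volumes[*].hostPath must be unset.
	for i, v := range spec.Volumes {
		if v.HostPath {
			add("host-path", fmt.Sprintf("/volumes/%d/hostPath/", i))
		}
	}

	// disallow-privileged-containers and disallow-capabilities cover both
	// initContainers[*] and containers[*].
	groups := []struct {
		field string
		cs    []Container
	}{{"initContainers", spec.InitContainers}, {"containers", spec.Containers}}
	for _, g := range groups {
		for i, c := range g.cs {
			sc := c.SecurityContext
			if sc == nil {
				continue
			}
			if sc.Privileged != nil && *sc.Privileged {
				add("privileged-containers", fmt.Sprintf("/%s/%d/securityContext/privileged/", g.field, i))
			}
			for _, capName := range sc.AddCapabilities {
				if !allowedCapabilities[strings.ToUpper(capName)] {
					add("adding-capabilities", fmt.Sprintf("/%s/%d/securityContext/capabilities/add/", g.field, i))
					break
				}
			}
		}
	}
	return out
}

func main() {
	// Constructed spec shaped like the kube-proxy pod in the proof manifest: host
	// networking, a hostPath as the second volume and a privileged container.
	priv := true
	kubeProxy := PodSpec{
		HostNetwork: true,
		Volumes:     []Volume{{}, {HostPath: true}},
		Containers:  []Container{{&SecurityContext{Privileged: &priv}}},
	}
	for _, v := range CheckBaseline(kubeProxy, "/spec", "") {
		fmt.Printf("Pod: %s failed at path %s\n", v.Rule, v.Path)
	}
	for _, v := range CheckBaseline(kubeProxy, "/spec/template/spec", "autogen-") {
		fmt.Printf("DaemonSet: %s failed at path %s\n", v.Rule, v.Path)
	}
}
```

Running it prints host-namespaces, host-path and privileged-containers failures for the pod under /spec/..., then the same three as autogen- rules under /spec/template/spec/..., which is the pattern the output shows for kube-proxy-xv5vz and the kube-proxy DaemonSet. Capability names are upper-cased before lookup so a lower-case net_bind_service is not wrongly flagged.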


@viveksahu26 (Collaborator, Author)

Why are these test cases failing? Any idea?

@viveksahu26 (Collaborator, Author)

@vyankyGH, can you help me here? Why are these tests failing?

@eddycharly (Member)

These are linter errors, they are explained in the files changed tab.

@viveksahu26 (Collaborator, Author) commented Sep 3, 2022

These are linter errors, they are explained in the files changed tab.

Hey @eddycharly, I still could not figure out the linter errors. Can you please explain in a bit more detail how to resolve them?

@viveksahu26 (Collaborator, Author)

Hey @realshuting, I need your help to resolve the failing test cases.

@eddycharly (Member)

@viveksahu26 all linter errors are visible in the Files changed tab of this PR.
You need to change the code to get the linter happy.

@viveksahu26 (Collaborator, Author)

Hi @eddycharly, I am getting the line "Added line #L156 was not covered by tests" in many places. Is it talking about the e2e tests or something else?

@vyankyGH (Contributor)

Hi @eddycharly, I am getting the line "Added line #L156 was not covered by tests" in many places. Is it talking about the e2e tests or something else?

@viveksahu26, those are not mandatory. Can you please fix the one test which is failing, along with resolving the conflicts?

@vyankyGH (Contributor)

@viveksahu26, can you please fix the one test which is failing, along with resolving the conflicts?

Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
@realshuting (Member)

@vyankyGH - any additional comments? Let's get these PRs merged asap to avoid further conflicts.

vyankyGH previously approved these changes Oct 26, 2022
@vyankyGH vyankyGH enabled auto-merge (squash) October 26, 2022 10:37
@vyankyGH vyankyGH enabled auto-merge (squash) October 27, 2022 11:36
@eddycharly (Member)

@viveksahu26 sorry for the late reply, can you resolve the conflicts please?

Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
auto-merge was automatically disabled November 23, 2022 07:43: head branch was pushed to by a user without write access

@eddycharly (Member)

Thanks @viveksahu26, let's get this in !

Successfully merging this pull request may close these issues:
[Feature] Kyverno CLI support for HTTP and Git repos in apply command

5 participants